OCR fines Providence $240,000 in ransomware case

Providence Medical Institute, a Southern California-based physician services division of Providence’s seven-state healthcare system, will pay a $240,000 civil penalty to settle possible HIPAA violations following a ransomware attack.

WHY IT’S IMPORTANT
The U.S. Department of Health and Human Services’ Office for Civil Rights announced the penalty on October 3, following an investigation, prompted by a ransomware breach, into Providence Medical Institute’s compliance with the HIPAA Security Rule.

OCR launched the investigation after receiving a breach report in April 2018 indicating that the provider’s IT systems had been hit by a series of ransomware attacks that compromised the electronic protected health information of roughly 85,000 individuals between February and March of that year.

The investigation found that servers containing ePHI were encrypted by ransomware three times. OCR says it identified two potential violations of the HIPAA Security Rule: the failure to have a business associate agreement in place, and the failure to implement policies and procedures that allow only authorized persons or software programs to access ePHI.

The Security Rule establishes national standards to protect electronic protected health information “created, received, used or maintained by” a HIPAA covered entity. It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.

“If all requirements of the HIPAA security rules are not fully implemented, HIPAA covered entities and business associates will be vulnerable to cyber-attacks, compromising the privacy and security of patient health information,” said OCR Director Melanie Fontes Rainer in a statement.

This past March, OCR notified Providence Medical Institute that it proposed to impose a civil penalty; the organization waived its right to a hearing and did not contest OCR’s findings. The $240,000 penalty resolves the investigation, OCR says.

THE BIG TREND
Since ransomware first appeared on a large scale about a decade ago, it has become perhaps the single biggest threat to healthcare cybersecurity. A BakerHostetler report from earlier this year found that it was used in more than 70% of network intrusions in 2023.

OCR notes that major breaches involving ransomware reported to the agency have risen 264% since the Providence breach was reported in 2018.

HHS says that the HIPAA Security Rule, when fully implemented, provides at least a baseline of defense against ransomware attacks.

It calls on healthcare providers, health plans, clearinghouses and their business associates to take steps such as:

  • Reviewing vendor and contractor relationships to ensure business associate agreements are in place where appropriate, and that they address breach and security incident obligations

  • Integrating risk analysis and risk management into business processes, and carrying them out regularly and whenever new technologies or business operations are planned

  • Ensuring audit controls are in place to record and examine information system activity

  • Implementing regular review of information system activity

  • Implementing multi-factor authentication to ensure only authorized users can access ePHI

  • Encrypting ePHI to guard against unauthorized access

  • Integrating lessons learned from incidents into the overall security management process

  • Providing workforce training that is specific to the organization and to job responsibilities, on a regular basis, and reinforcing the critical role of workforce members in protecting privacy and security

OCR has recently stepped up enforcement against organizations whose ransomware incidents stemmed from lax security controls. The Providence case is the fifth such enforcement action to date. Others include a settlement earlier this year in which a Maryland behavioral health practice paid $40,000 after a ransomware attack compromised the ePHI of 14,000 people.

Some lawmakers say that is still not enough and are growing impatient with the steady drumbeat of ransomware breaches.

For example, this summer, U.S. Sen. Mark Warner, D-Virginia, wrote to HHS Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger asking them to expedite the development and publication of mandatory minimum healthcare cybersecurity standards.

Last month, Warner, along with Sen. Ron Wyden, D-Oregon, introduced the Health Infrastructure Security and Accountability Act, a bill with “common sense reforms” aimed at countering disruptive cyberattacks. The legislation would mandate certain basic cybersecurity practices while increasing funding to help small and rural hospitals meet the new standards, and would allow stiff penalties for healthcare executives who lie about their organizations’ cyber hygiene.

In the meantime, HHS continues to offer many resources to help HIPAA covered entities mitigate ransomware and other cybersecurity threats.

ON THE RECORD
“The healthcare industry must get serious about cybersecurity and HIPAA compliance,” Fontes Rainer said of the Providence fine. “OCR will continue to champion patient privacy and work to ensure the security of every person’s health information. On behalf of OCR, I urge all healthcare institutions to always remain alert and take all precautions and steps to protect their systems from cyber-attacks.”

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.